7.5

CVSS Score

Basic Information

CVE ID

CVE-2009-3695

GHSA ID

GHSA-p6m5-h7pp-v2x5

EPSS Score

CWE

CWE-400

Published

5/2/2022

Updated

9/16/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2009-3695

CVE-2009-3695:
Django Regex Algorithmic Complexity Causes Denial of Service

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2009-3695

GHSA ID

GHSA-p6m5-h7pp-v2x5

EPSS Score

CWE

CWE-400

Published

5/2/2022

Updated

9/16/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Django	pip	>= 1.0, < 1.0.4	1.0.4
Django	pip	>= 1.1, < 1.1.1	1.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inefficient regular expressions in Django's EmailField and URLField validation. The commit diff shows direct modifications to these regex patterns (email_re and url_re) in fields.py, replacing the backtracking-prone patterns. The CVE description explicitly identifies these fields as attack vectors, and the added test cases in fields.py confirm the exploit scenarios. The regex changes specifically limit repetition quantifiers and domain label lengths to prevent catastrophic backtracking.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*l*orit*mi* *ompl*xity vuln*r**ility in t** *orms li*r*ry in *j*n*o *.* ***or* *.*.* *n* *.* ***or* *.*.* *llows r*mot* *tt**k*rs to **us* * **ni*l o* s*rvi** (*PU *onsumption) vi* * *r**t** (*) *m*il*i*l* (*m*il ***r*ss) or (*) URL*i*l* (URL) t**t t

Reasoning

T** vuln*r**ility st*ms *rom in***i*i*nt r**ul*r *xpr*ssions in *j*n*o's *m*il*i*l* *n* URL*i*l* v*li**tion. T** *ommit *i** s*ows *ir**t mo*i*i**tions to t**s* r***x p*tt*rns (*m*il_r* *n* url_r*) in *i*l*s.py, r*pl**in* t** ***ktr**kin*-pron* p*tt*

7.5

Basic Information

Concerned about an active attack path?

CVE-2009-3695: Django Regex Algorithmic Complexity Causes Denial of Service

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2009-3695:
Django Regex Algorithmic Complexity Causes Denial of Service

Vulnerability Intelligence
Miggo AI